It appears that several rules in the 99_asl_jitp.conf file are missing unique ID numbers. We are testing the real-time rules in a shared hosting environment, and it's very important that we are able to disable specific rules when they cause trouble for an individual's site. Here is an example of a rule that's causing a problem that we can't disable:

=====
# Rule 310019: PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
SecRule REQUEST_URI "/admin/" chain
SecRule ARGS:username "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from|or user_id=2)" "t:replaceComments"
=====
[Fri Aug 20 09:39:05 2010] [error] [client [REDACTED]] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\\*| |\\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\\*| |\\,]|\\'|union.*select.*from|or user_id=2)" at ARGS:username. [file "/var/asl/rules/99_asl_jitp.conf"] [line "6203"] [hostname "[REDACTED]"] [uri "/admin/admin_users.php"] [unique_id "TG6TiUo1A8sAAH@GW0cAAADX"]
=====
--0ba83576-A--
[20/Aug/2010:09:39:05 --0500] TG6TiUo1A8sAAH@GW0cAAADX [REDACTED] 49892 [REDACTED] 80
--0ba83576-B--
POST /admin/admin_users.php?sid=[REDACTED] HTTP/1.1
Host: [REDACTED]
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv:1.9.2. Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr-ca,fr;q=0.8,fr-fr;q=0.7,en-ca;q=0.5,en-us;q=0.3,en;q=0.2
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://[REDACTED]/admin/admin_users.php?sid=[REDACTED]
Cookie: PHPSESSID=[REDACTED];
[REDACTED]
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 66

--0ba83576-C--
username=Dreamz%27&mode=edit&submituser=Rechercher+l%27utilisateur
--0ba83576-F--
HTTP/1.1 403 Forbidden
X-Powered-By: PHP/5.2.14
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

--0ba83576-H--
Message: Access denied with code 403 (phase 2). Pattern match "(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from|or user_id=2)" at ARGS:username. [file "/var/asl/rules/99_asl_jitp.conf"] [line "6203"]
Action: Intercepted (phase 2)
Apache-Handler: application/x-httpd-php5
Stopwatch: 1282315145549225 78527 (1540* 6750 -)
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); 201001051959.
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7a

--0ba83576-Z--
=====

While the comment claims the ID is "310019", disabling that rule does nothing. Any information is appreciated.

You appear to be running rules from January, just upgrade to the latest real time rule release.

The rules were last updated yesterday. I just updated to the ones from today, and it appears that while that particular one is fixed that I was quoting, there are still many without IDs. Just as an example, these are all from the same 99_asl_jitp.conf file:

===========================
# Rule 310019: Orca Blog SQL inj. vuln.
SecRule REQUEST_URI "/blog\?msg=(?:(?:select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[a-z|0-9|\*| |\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[a-z|0-9|\*| |\,]|\'|union.*select.*from)" "t:replaceComments"

# Rule 310019: wormsign
SecRule REQUEST_URI "hacked.*by.*member.*of.*scc"

# Rule 310019: phpMyAdmin Cross-Site Scripting Vulnerabilities
SecRule REQUEST_HEADERS:Host "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript\:)"

# Rule 310019: Nortel SSL VPN Web Interface XSS
SecRule REQUEST_URI "/tunnelform\.yaws" chain
SecRule ARGS:a "(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"

# Rule 310019: SyntaxCMS XSS vuln.
SecRule REQUEST_URI "/search/\?search_query=*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=\'javascript)"
===========================

The log entry you provided shows that you are running rules from January, heres the line to look at:

Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); 201001051959.

That last bit is the date of the rule release, which is January 5th, 2010. Are you using the real time rules, or the free unsupported rules?

That is actually present due to this line in our mod_security config:

=========================
SecComponentSignature 201001051959
=========================

The files do appear to be the most recent ones which are obtained using the following script to download the latest from your site:

=========================
#!/bin/bash

USERNAME="[REDACTED]"
PASSWORD="[REDACTED]"

version=`curl -sku $USERNAME:$PASSWORD https://www.atomicorp.com/channels/rule ... on/VERSION | awk -F'=' '/MODSEC_VERSION/ { print $2 }'`

curl -sku $USERNAME:$PASSWORD https://www.atomicorp.com/channels/rule ... ion.tar.gz | tar -zxf -
=========================

In that case, if you have a real time subscription, just update to the latest rules. We put out updates all day long. Also, if you need support you will get much faster response than posting to the forums if you email support@atomicorp.com, or log into the support portal:

https://www.atomicorp.com/portal/

Also, its a good idea to change this line:



To the current version of the rules you have installed (ASL does this automatically). That helps us to know what version you have installed when troubleshooting.